Bug 2451160 (CVE-2026-23395) - CVE-2026-23395 kernel: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ
Summary: CVE-2026-23395 kernel: Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_C...
Keywords:
Status: NEW
Alias: CVE-2026-23395
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-03-25 11:01 UTC by OSIDB Bzimport
Modified: 2026-03-26 11:09 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-03-25 11:01:51 UTC 
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: L2CAP: Fix accepting multiple L2CAP_ECRED_CONN_REQ

Currently the code attempts to accept requests regardless of the
command identifier which may cause multiple requests to be marked
as pending (FLAG_DEFER_SETUP) which can cause more than
L2CAP_ECRED_MAX_CID(5) to be allocated in l2cap_ecred_rsp_defer
causing an overflow.

The spec is quite clear that the same identifier shall not be used on
subsequent requests:

'Within each signaling channel a different Identifier shall be used
for each successive request or indication.'
https://www.bluetooth.com/wp-content/uploads/Files/Specification/HTML/Core-62/out/en/host/logical-link-control-and-adaptation-protocol-specification.html#UUID-32a25a06-4aa4-c6c7-77c5-dcfe3682355d

So this attempts to check if there are any channels pending with the
same identifier and rejects if any are found.
Comment 1 Alexander B 2026-03-25 19:06:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2026032549-CVE-2026-23395-5e50@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.